ReadWrite - gnulinux (http://readwrite.com/tag/gnulinux)
Language: en | Copyright 2015 Wearable World Inc. | Feed generated Tue, 03 Mar 2015 12:20:03 -0800

<h1>How A Linux "Ghost" Spooked The Security World</h1>
<figure><img src="http://a3.files.readwrite.com/image/upload/c_fill,cs_srgb,dpr_1.0,q_80,w_620/MTI3NzE2NTc2OTMyNjk3MzYy.jpg" /></figure>
<p>A vulnerability in a library used by nearly every Linux distribution could allow remote attackers to take control of a system. <a href="https://community.qualys.com/blogs/laws-of-vulnerabilities">Researchers at Qualys</a> have dubbed it Ghost, after the <strong>gethostbyname</strong> family of functions through which it is triggered; it is tracked as CVE-2015-0235.</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/10/17/poodle-ssl-30-sslv3-how-to-protect-yourself"><strong>How To Protect Yourself Against The Internet "Poodle" Attack</strong></a></p></blockquote>
<p>The vulnerability is in the GNU C Library, known as glibc for short, the standard C library that almost every program on a Linux system is linked against; without it, a Linux system couldn't function. The flaw is a heap-based buffer overflow in <strong>__nss_hostname_digits_dots()</strong>, an internal glibc function that <strong>gethostbyname()</strong> and <strong>gethostbyname2()</strong> (and their reentrant <strong>_r</strong> variants) call when the name being looked up consists only of digits and dots. The function under-counts the buffer space it needs by the size of one pointer, so a name of exactly the right length passes its size check and overflows the buffer by four bytes on 32-bit systems or eight bytes on 64-bit ones. An attacker who can get such a crafted hostname passed to one of these functions, for example through a network service that resolves a client-supplied hostname, can corrupt memory and, in the worst case, run code of their choosing on the system.</p>
<p>A series of misfortunes helped Ghost slip through the cracks. First of all, the bug had been found and fixed back on May 21, 2013, between the glibc 2.17 and 2.18 releases, as <a href="https://community.qualys.com/blogs/laws-of-vulnerabilities">Qualys CTO Wolfgang Kandek writes</a>. 
However, at the time it was treated as an ordinary bug rather than a security threat, so the fix was never backported to the older releases that distributions were still supporting:</p>
<blockquote><p>Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 &amp; 7, CentOS 6 &amp; 7, Ubuntu 12.04, for example.</p></blockquote>
<p>Secondly, since Ghost affects a library that practically every running process has loaded, patching it is no simple fix. Installing the updated glibc package replaces the files on disk, but every process that was already running keeps using the old, vulnerable copy in memory until it is restarted. In practice that means restarting every long-running network service, or more simply rebooting the affected server. Companies have to schedule that downtime, which means affected servers could stay vulnerable for some time longer.</p>
<p>How exposed a given server is depends less on which distribution it runs than on whether any network-facing service on it passes attacker-controlled hostnames to the vulnerable functions. Now that <a href="https://rhn.redhat.com/errata/RHSA-2015-0090.html">Red Hat</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2015-0235">Debian,</a> <a href="https://launchpad.net/ubuntu/+source/eglibc">Ubuntu</a> and <a href="http://support.novell.com/security/cve/CVE-2015-0235.html">Novell</a> have all issued patches, Linux server operators have the resources to stay in the clear.</p>
<p><em>Photo by <a href="https://www.flickr.com/photos/jonfeinstein/4081061740/">Jon Feinstein</a></em></p>
Summary: First, a known vulnerability was fixed. Then it was unfixed.
Link: http://readwrite.com/2015/01/28/linux-vulnerability-ghost-arises
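To check a system for the Ghost flaw described in the article above, the following is an added example, not code from the article or from Qualys; it uses the same canary technique Qualys published alongside its advisory, but the code and the name ghost_check are my own. The program places a canary string immediately after a 1024-byte lookup buffer, asks gethostbyname_r() to resolve an all-digit name of exactly the length the vulnerable size check accepts, and reports whether the canary survived. It assumes GNU/Linux: the gethostbyname_r() interface and the ERANGE result on a fixed library are glibc behaviour.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Prototype repeated in case the compiler runs in strict ISO mode, where
   <netdb.h> hides this GNU extension; it matches glibc's declaration. */
int gethostbyname_r(const char *name, struct hostent *ret, char *buf,
                    size_t buflen, struct hostent **result, int *h_errnop);

#define CANARY "in_the_coal_mine"

/* Lookup buffer with a canary placed directly after it. A vulnerable glibc
   copies sizeof(char *) bytes past the end of buffer, which lands here. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary was overwritten (vulnerable), 0 if glibc rejected
   the lookup with ERANGE (fixed), -1 if neither happened (for example a
   non-glibc libc that simply resolves the numeric name). */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* A fixed glibc requires buflen >= 16 (address storage) + 2 pointers
       (address list) + 1 pointer (alias list) + strlen(name) + 1. The
       vulnerable code forgot the alias-list pointer, so a name of this
       length passes its size check and the copy overruns by one pointer. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);           /* all digits: takes the digits-and-dots path */
    name[len] = '\0';

    memcpy(temp.canary, CANARY, sizeof(CANARY));   /* fresh canary per call */
    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                     /* buffer overrun happened */
    if (retval == ERANGE)
        return 0;                     /* size check rejected the request */
    return -1;
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable");     return 1;
    case 0:  puts("not vulnerable"); return 0;
    default: puts("inconclusive");   return 2;
    }
}
```

Build with cc -o ghost ghost.c and run it as an ordinary user. Because a freshly started program loads whatever glibc is on disk, a "not vulnerable" result says nothing about daemons that were started before the package update and still have the old library mapped; those need a restart, which is the point the article makes about scheduling downtime.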
Filed under: Web. Published Wed, 28 Jan 2015 09:39:43 -0800 by Lauren Orsini.

<h1>Why Node.js Is Facing A Possible Open-Source Schism</h1>
<figure><img src="http://a1.files.readwrite.com/image/upload/c_fill,cs_srgb,dpr_1.0,q_80,w_620/MTI1ODE3MjUzMDA1NDAwNTQy.jpg" /></figure>
<p>Node.js, a hugely popular open-source JavaScript runtime for building server-side Web applications, could be headed for a painful schism unless its restive contributors and the project's corporate lead, Joyent, can come to terms.</p>
<p>At stake is a possible "fork" in the Node codebase, a change proposed by some of Node's most important developers, who are frustrated with the project's pace and other issues under Joyent's oversight. A fork would divide the open-source community that supports Node, potentially creating multiple versions of the software, confusion among its users, and business problems for Joyent.</p>
<blockquote><p><strong>See also: <a href="http://readwrite.com/2014/08/22/nodejs-node-js-tj-fontaine-version-10">Why The JavaScript World Is Still Waiting For Node.js 1.0</a></strong></p></blockquote>
<p>At the moment, the threat of a forked Node remains real, although Joyent has taken some steps to placate the dissidents. The company recently created <a href="https://github.com/joyent/nodejs-advisory-board">a new advisory board</a> intended to give Node contributors more of a voice in the project's direction; that group <a href="https://github.com/joyent/nodejs-advisory-board/blob/master/meetings/20141023.md">held its first meeting</a> on October 23.</p>
<p>A fork could still happen, Joyent CEO Scott Hammond admitted to me in an interview last week, although he says that "would certainly surprise me."</p>
<p>Node's would-be forkers, meanwhile, are keeping their own counsel. 
Five of the six main dissidents declined to respond to my inquiries by email and Twitter. The sixth, Ben&nbsp;Noordhuis, replied with a cryptic note advising me to "check <a href="https://github.com/node-forward">Node Forward</a> for announcements in the near future."</p><p>Node Forward is the GitHub repository once intended to host&nbsp;the forked version of Node—which it presumably could still do. At the moment, it's home&nbsp;to an ongoing discussion about the future of Node.</p><h2>A Forking Nightmare</h2><p>Roughly a month ago, six&nbsp;<a href="http://dtrejo.com/why-is-node-being-forked.html">high-ranking Node contributors</a>—including Isaac Schlueter, Node’s former project lead—proposed forking the Node project in order to loosen Joyent's control over it. (Blogger David Trejo was one of the first to <a href="http://dtrejo.com/why-is-node-being-forked.html">write about the possibility of a Node fork</a>.) Those dissidents include&nbsp;<a href="https://github.com/joyent/node/graphs/contributors">five of Node's top seven contributors</a> (numbers 2, 3, 4, 5 and 7, to be precise).</p><p>In a <a href="https://cloudup.com/iXElAwMeMHS">Google Hangout still available online</a>, five of those developers talked about ways to democratize the project and complained that Joyent's oversight was slowing the project—for instance, by complicating the process of prioritizing and fixing bugs.&nbsp;The contributors batted around ideas on which parts of "Joyent Node" to include in a new Node Forward version of the framework, and appeared to express other frustrations via live chat that's not visible to viewers.</p><p>The developers also noted that current project management had locked them out of some Joyent resources. Bert Belder, Node's number-four contributor, said he could no longer access his chat logger in the official Node IRC chat. 
Schlueter chimed in with his own recent difficulty with&nbsp;<a href="https://github.com/isaacs/ircretary">ircretary</a>, a Joyent resource for channel-logging the IRC chat—a program Schlueter himself had created as project lead.</p>
<p>"I can't manage ircretary anymore," he said at the <a href="https://cloudup.com/iXElAwMeMHS">35:00 mark</a>. "There's a bug and a fix I want to push. I pinged TJ [Fontaine, Node's current project manager] to be like, hey, let me go do this thing, and he just responded with silence."</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/10/16/linux-linus-torvalds-community-mistakes-toxic-environment"><strong>Linus Torvalds: I Made A "Metric S---load" Of Community-Building Mistakes</strong></a></p></blockquote>
<p>Many other developers have flocked to Node Forward to express their frustrations about Joyent's tight control over information and what they say is its lack of interest in taking feedback from the project's contributors and users.</p>
<p>“I'm quite frustrated by the lack of communication from the project lead to the community,” contributor <a href="https://github.com/node-forward/roadmap/issues/1#issuecomment-58981792">Ron Korving wrote in mid-October</a>. “In fact, it feels like the community is pretty much being ignored right now, including those who contribute the most.”</p>
<p>These contributors were especially concerned with Joyent’s power over the project. A company or creator that maintains indefinite control over an open source project is usually dubbed a Benevolent Dictator For Life (BDFL)—and not always fondly. 
Linus Torvalds of Linux is probably the most famous of these, and even his contributors <a href="http://readwrite.com/2014/10/16/linux-linus-torvalds-community-mistakes-toxic-environment">aren’t always happy</a>.</p>
<h2>Fork It All</h2>
<p>Popular open source projects like Node have thousands of contributors who don’t always agree on how the project should be managed. Threats to “fork” a project by taking the code base in a different direction—and bringing a substantial portion of the original community with it—are extremely common.</p>
<p>They also rarely come to pass. Some developers always seem to be threatening to <a href="https://mail.python.org/pipermail/python-dev/2010-October/105016.html">fork the programming language Python 2.7</a>&nbsp;in order to bypass Python 3, an upgrade many coders disliked. Yet that particular fork-fest has never gotten underway, largely because its proponents remain a minority in the overall Python community.</p>
<blockquote><p><strong>See also: <a href="http://readwrite.com/2014/01/17/nodejs">How Node.js Stays On Track</a></strong></p></blockquote>
<p>But when contributors are high-ranking enough and have a clear understanding of the hard work behind managing an open source community, forks can and do happen. For example, MySQL's original developers created the successful <a href="https://mariadb.org/">MariaDB</a> fork of the open-source MySQL database after Oracle acquired it and began moving the project in directions the community didn't like.</p>
<p>Joyent had no choice but to take the threat of a Node fork seriously, given the prestigious forkers behind it—and the growing number of developers who support them.</p>
<h2>No Forking Way</h2>
<p>Joyent's biggest step so far has been to create the&nbsp;<a href="http://nodejs.org/about/advisory-board/">Node Advisory Board</a>. 
It's&nbsp;a newly formed collection of primarily corporate representatives intended to give&nbsp;people outside Joyent more of a voice in the project’s direction from now on, Hammond told me.</p>
<figure><img src="http://a5.files.readwrite.com/image/upload/c_fill,cs_srgb,dpr_1.0,q_80,w_620/MTE5NTU2MzIzOTI0OTM2MjAz.jpg" /><figcaption>TJ Fontaine, Node.js Project Lead</figcaption></figure>
<p>Hammond notes that five years after Node's debut, users have downloaded the software to 2 million sites; tens of thousands of organizations have adopted it. Along the way, Node users have grown more diverse—spanning corporate clients, developers, and dabblers.</p>
<p>“As the community grows in complexity, there’s been no real forum for constituents to come together and weigh in on the Node project,” he said.</p>
<p>Joyent appointed two of the forking superstars—Schlueter and Belder—<a href="http://nodejs.org/about/advisory-board/members/">to the advisory board</a>. Schlueter and Belder are Node's #2 and #4 contributors, respectively. Neither developer returned repeated messages seeking comment.</p>
<p>Still, the dissidents are vastly outnumbered on the board by representatives of established industry. Six of the board's 15 members hail from huge companies such as Walmart, IBM, Microsoft and Netflix. Two more—Hammond and Fontaine—are from Joyent, giving industry a majority of the panel.</p>
<p>It's also not clear exactly what the panel will do. It doesn't actually have any authority over the Node project; its charter explicitly states that the board is not "intended to serve as an authoritative governance board." 
The board, according to the charter, "advises, but does not manage the Node.js project core committers team leadership."</p><h2>What A Forking Mess</h2><p>Advisory boards have a mixed history in big open-source projects.&nbsp;Open platform Docker is supposedly run by an&nbsp;<a href="https://www.docker.com/community/governance/">advisory board</a>, but it's still just barely getting off the ground six months after its April announcement; it held its <a href="http://blog.docker.com/2014/11/docker-governance-advisory-board-output-of-first-meeting/">first meeting</a> earlier this month.&nbsp;</p><p>The open-source cloud-platform project&nbsp;<a href="http://cloudfoundry.org/about/index.html">CloudFoundry</a> has been more successful. Its advisory board has actually existed for some time, but then the project has always been largely driven—and used by—corporations rather than individuals. Node, by contrast, arose as more of a grass-roots effort.</p><p>The Node advisory board has met twice so far, although it hasn't yet posted an agenda or minutes for either meeting on <a href="https://github.com/joyent/nodejs-advisory-board">its GitHub page</a>. Hammond said the group&nbsp;spent its first meeting “surfacing all the issues and understanding the purpose of the advisory board.”&nbsp;</p><p>From Hammond's perspective, the board should address open-source contributors' concerns about Joyent employee TJ Fontaine as Node’s BDFL.</p><p>“I think the project has outgrown the benevolent dictator model, at least that is what I consistently hear from the community,” he said. Under Fontaine, Hammond said, "the core team evolved on its own as a consensus driven model. We need to communicate that better.”</p><p>Joyent can’t really afford to lose some of Node’s biggest supporters at a time when major companies like Walmart are <a href="http://readwrite.com/2014/07/15/bet-big-node-js">betting big</a> on it. 
Joyent needs to move cautiously to ensure that at this delicate time, Node continues to look like the best choice for business even if it's technically still in beta, <a href="http://readwrite.com/2014/08/22/nodejs-node-js-tj-fontaine-version-10">shy of the version 1.0 milestone</a>.</p>
<p>Now the question is whether the new panel is enough to convince Node community members that Joyent truly values their input. Stay tuned.</p>
<p><em>Lead photo by <a href="https://www.flickr.com/photos/bexross/3212600561">Bex Ross</a>; photo of TJ Fontaine, Node JS Project Lead at Joyent, by Lauren Orsini</em></p>
Summary: Key contributors vs. the project's corporate overseer.
Link: http://readwrite.com/2014/11/12/node-js-joyent-possible-fork-schism
Filed under: Hack. Published Wed, 12 Nov 2014 08:17:16 -0800 by Lauren Orsini.

<h1>Yahoo Denies Shellshock Hack, Blames Breach On Copycat Code</h1>
<p>Yahoo says that the attackers who got onto three of its servers did not use the bash “Shellshock” bug to get in, reversing the company's earlier statement.</p>
<p>Yahoo's Chief Information Security Officer <a href="https://www.linkedin.com/in/alexstamos">Alex Stamos</a> summarized the situation in a <a href="https://news.ycombinator.com/item?id=8416393">Hacker News post</a> Monday:</p>
<blockquote><p>“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.”</p></blockquote>
<p>On closer inspection, Stamos wrote, the attackers had been scanning for Shellshock-vulnerable servers with a modified version of the exploit, most likely to slip past intrusion-detection systems and Web application firewalls. That modified payload happened to fit a separate command-injection bug in a monitoring script Yahoo's Sports team was using to parse its Web logs. So it was that script's bug, not Shellshock in bash, that let the attackers execute code on the servers.</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/10/06/yahoo-servers-fall-victim-to-shellshock-bug"><strong>Yahoo Games Hit By Shellshock Bug, Researcher Reports</strong></a></p></blockquote>
<p>Any sort of hack is serious, but Stamos said this attack was less serious than a Shellshock compromise would have been, since Yahoo's user data appears to be safe:</p>
<blockquote><p>“The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.”</p></blockquote>
<p>Stamos also responded to security researcher Jonathan Hall's allegations that Yahoo refused to compensate him for discovering the compromise. 
Hall, who first documented the hack on <a href="http://www.futuresouth.us/yahoo_hacked.html">his website</a>, later suggested on <a href="https://www.reddit.com/r/technology/comments/2ifbjb/yahoo_got_hacked_this_morning_hooray_for/?utm_source=dlvr.it&amp;utm_medium=twitter">Reddit</a> that Yahoo was ungrateful for the assistance, something the company <a href="http://mashable.com/2013/10/01/yahoo-bug-bounty-25-dollar-voucher/">has a history of</a>.</p>
<p>“Yahoo takes external security reports seriously and we strive to respond immediately to credible tips,” said Stamos. “We monitor our Bug Bounty and security aliases 24x7, and our records show no attempt by this researcher to contact us using those means.”</p>
<p>Hall is sticking to his guns, however, and maintains that the hack was indeed the work of Shellshock. His latest post, "<a href="http://www.futuresouth.us/wordpress/?p=25">Is Alex Stamos full of crap, or just the victim of an honest mistake? Either way, your data is NOT safe</a>," includes pasted terminal output that Hall says shows him continuing to compromise Yahoo servers through Shellshock.</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainer"><strong>Everything You Need To Know About The Shellshock Bug</strong></a></p></blockquote>
<p>"I am flat out accusing Stamos and Yahoo of being dishonest and inaccurate in their reports of this breach, as well as being grossly negligent to their users and shareholders by releasing inaccurate and misleading information," Hall wrote.</p>
<p><em>Photo of Alex Stamos by <a href="https://www.flickr.com/photos/maassively/12818899113/">Dave Maass</a></em></p>
Summary: One security researcher begs to differ.
Link: http://readwrite.com/2014/10/07/yahoo-revises-shellshock-statement
Filed under: Web. Published Tue, 07 Oct 2014 06:50:53 -0700 by Lauren Orsini.

<h1>Yahoo Games Hit By Shellshock Bug, Researcher Reports</h1>
<p>The Shellshock bug is bad news, and Yahoo may have just found out first hand.</p>
<p>At least two servers for Yahoo Games were allegedly breached in a hack discovered by security researcher Jonathan Hall.</p>
<p>Hall says he found evidence that Romanian hackers gained access to at least two of Yahoo's servers by exploiting the Shellshock bug, a vulnerability in bash, the command-line shell that most Linux and Unix servers use to run scripts and commands. By exploiting the bug, an attacker who can get crafted input into the environment of a process that starts bash can run arbitrary commands on the server. Hall said Yahoo's servers were exposed because they were still running an unpatched version of bash.</p>
<p>Hall, a Unix expert with Future South Technologies, <a href="http://www.futuresouth.us/yahoo_hacked.html">offers a lengthy explanation</a> on the tech consulting firm's website, where he describes how he tracked the breach to Yahoo's game servers. Hall also shares an email he says he received from Yahoo confirming the breach. Since millions of people play Yahoo games every day, the game servers make an attractive target for attackers.</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainer"><strong>Everything You Need To Know About The Shellshock Bug</strong></a></p></blockquote>
<p>If hackers gained control of a Yahoo server using Shellshock, they could potentially steal user information, deliver malware to vulnerable computers and take control of the system. So you'd think Yahoo would be grateful for the information. 
Hall, however, claims Yahoo did not reward him for the discovery, telling him instead that his findings didn't qualify for its bug bounty program.</p>
<p>“I literally gave them two servers that were hacked, of which there were most likely more—without a doubt—considering one gets a public DNS response of a private IP address… And that doesn’t qualify? What a joke,” Hall <a href="https://www.reddit.com/r/technology/comments/2ifbjb/yahoo_got_hacked_this_morning_hooray_for/?utm_source=dlvr.it&amp;utm_medium=twitter">posted on Reddit</a>.</p>
<p>Yahoo has a poor track record when it comes to rewarding security researchers who uncover serious flaws, Mashable notes. Where a similar bug might net <a href="http://readwrite.com/2011/07/29/facebook_to_offer_bug_bounty_program_with_rewards">five figures at Facebook</a>, Yahoo is more in the habit of awarding <a href="http://mashable.com/2013/10/01/yahoo-bug-bounty-25-dollar-voucher/">$25 vouchers</a> that can be used to purchase t-shirts, pens and other items from Yahoo's company store.</p>
<p><em>Photo via <a href="http://www.shutterstock.com">Shutterstock</a></em></p>
Summary: It's an enticing target for hackers.
Link: http://readwrite.com/2014/10/06/yahoo-servers-fall-victim-to-shellshock-bug
Filed under: Web. Published Mon, 06 Oct 2014 07:15:54 -0700 by Lauren Orsini.

<h1>Damage Report: What Shellshock Has Done So Far</h1>
<figure><img src="http://a3.files.readwrite.com/image/upload/c_fill,cs_srgb,dpr_1.0,q_80,w_620/MTIxNDI3Mjk1MDQ3MTU3MjYx.jpg" /></figure>
<p>It's been more than a week since security researchers disclosed Shellshock, a 22-year-old bug in bash, the command-line shell that is the default on most Linux systems and on OS X. Now we're just starting to uncover the extent of the attacks carried out through the bug.</p>
<blockquote><p><strong>See also: <a href="http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainer">Everything You Need To Know About The Shellshock Bug</a></strong></p></blockquote>
<p>Web performance and security company Cloudflare has blocked more than 1.1 million Shellshock attacks, the company <a href="https://blog.cloudflare.com/inside-shellshock/">said in a blog post</a>. Around 83% of these were what it calls “reconnaissance attacks”: probes that try to make a vulnerable server run a harmless command, such as a ping back to a machine the attacker controls, so the attacker can learn which servers are exploitable before sending a real payload.</p>
<figure><img src="http://a3.files.readwrite.com/image/upload/c_fill,cs_srgb,w_620/MTI0OTc2NTA1NjQwOTg3MjY3.png" /><figcaption>Chart via Cloudflare</figcaption></figure>
<p>Cloudflare has been closely monitoring the number and origin of Shellshock attacks against its clients, and released a chart of that data. A large share of the attacks came from France, but it's not clear whether the attackers are located in France or are simply routing their attacks through French IP addresses. 
</p>
<p>Security research firm FireEye <a href="http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html">discovered</a> another slew of Shellshock attacks against an unlikelier kind of target on Wednesday: Network Attached Storage (NAS) appliances, essentially large networked hard drives. These devices run an embedded Linux system with bash and a Web-based administration interface, so an attacker who can reach that interface can exploit Shellshock to take control of the appliance and of every file stored on it, without ever touching the computers that use it.</p>
<p>FireEye said the attacks were targeting devices from QNAP, a popular Taiwanese NAS manufacturer. QNAP has just <a href="http://www.qnap.com/useng/index.php?lang=en-us&amp;sn=885&amp;c=3036&amp;sc=&amp;n=22457">published a press release</a> urging customers to disconnect their devices from the Internet until a patch becomes available.</p>
<blockquote><p><strong>See also: <a href="http://readwrite.com/2014/10/01/apple-patch-for-shellshock-bug-doesnt-work">Nope! Apple's Patch Doesn't Fully Fix The Shellshock Bug Either</a></strong></p></blockquote>
<p>Speaking of patches, Apple's bash bug patch seems to be doing the trick. “The vast majority of OS [X users] are not at risk," an Apple spokesperson <a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch">has said</a>, and so far that has held true, even though researchers say <a href="http://readwrite.com/2014/10/01/apple-patch-for-shellshock-bug-doesnt-work">Apple's patch is incomplete</a>. Even as attackers exploit Shellshock on servers and storage appliances, nobody has revealed any significant attack on Mac OS computers.</p>
<p><em>Photo via <a href="http://www.shutterstock.com">Shutterstock</a></em></p>
Summary: Fortunately, consumer computers are in the clear.
Link: http://readwrite.com/2014/10/02/shellshock-damage-report
Filed under: Web. Published Thu, 02 Oct 2014 07:36:36 -0700 by Lauren Orsini.

<h1>Everything You Need To Know About The Shellshock Bug</h1>
<figure><img src="http://a4.files.readwrite.com/image/upload/c_fill,cs_srgb,dpr_1.0,q_80,w_620/MTE5NTU2MzIzNzQzMjcwNDEx.jpg" /></figure>
<p>Judging by how the past week has gone, it'll be a while until we see the end of the Shellshock bug, an old but recently discovered flaw in Unix-like operating systems that's widespread, difficult to patch completely and not too hard to exploit. It's like the trifecta from hell.</p>
<p>Worried about what it is and how you can protect yourself? Here are some plain-English answers to your questions about this nasty bug.</p>
<h3>What Is Shellshock?</h3>
<p>The bug is a parsing mistake in bash, the command-line shell that has been the default on most Linux distributions and on OS X for years, though not on every Unix-like system. That makes the bug mostly a problem for servers that run Linux, Unix or similar operating systems, although Mac users might also have something to worry about.</p>
<p>The name “Shellshock” is a bit of wordplay based on the fact that bash is a "<a href="http://en.wikipedia.org/wiki/Shell_(computing)">shell</a>," a program that reads commands and runs other programs. Bash, like many other shells, uses a text-based, command-line interface. (If you're on a Mac, you can see this by opening your Terminal program.) When you log into a server over SSH, the commands you type are usually handled by bash, and servers also start bash behind the scenes to run system scripts, scheduled jobs and, on Web servers, CGI scripts.</p>
<p>Bash is short for “Bourne Again SHell,” a pun on <a href="http://en.wikipedia.org/wiki/Stephen_R._Bourne">Stephen Bourne</a>, the computer-scientist author of an earlier Unix shell known simply as sh. 
It runs on essentially every Unix-like system and is backward compatible with sh, which made it an obvious choice for the default shell of Linux and Mac OS X.</p>
<p>Bash is several decades old, and security researchers believe the Shellshock bug has lain undetected in bash for at least <a href="http://readwrite.com/2014/09/25/unix-bash-bug-shellshock-find-patch">22 years</a>.</p>
<h3>So Who's Vulnerable?</h3>
<p>Technically, any computer or system with an unpatched bash installed is vulnerable. Since bash is installed by default on most Linux distributions and on OS X, that includes a lot of computers.</p>
<p>Windows computers are safe unless someone has installed bash on them separately (through Cygwin, for example); Windows itself doesn't use bash. But if you're using a Mac or running Linux (Ubuntu, Red Hat, Debian or any other distribution) or some other Unix flavor where bash is the default shell, then you <em>could</em> be at risk.</p>
<p>Just because your computer is vulnerable to Shellshock, however, doesn't mean hackers can target it. To exploit the bug, an attacker needs a way to put text of their choosing into an environment variable of a program that then starts bash. On a server the usual route is a Web server running CGI scripts, because the server copies request headers such as User-Agent straight into the script's environment; another is a DHCP client that hands values received from the network to bash scripts.</p>
<p>If your computer is connected to the Internet through a password-protected wireless network, or physically via an Ethernet cable, and isn't running any such network service, you're basically safe. If you're on an open, untrusted Wi-Fi network, though, a rogue DHCP server on that network could theoretically feed a crafted value to a vulnerable machine's DHCP client, which is one way a laptop could be hit.</p>
<p>Even that's unlikely. The most likely targets, according to cyber security firm <a href="http://www.fireeye.com/">FireEye</a>, are Internet servers and related large computer systems.</p>
<h3>What About Me? Do I Have To Worry?</h3>
<p>Every release of bash from 1.13 through 4.3, the current version when the bug was disclosed, contains the vulnerability. 
To find out which version you are using, open your Terminal program and type:</p>
<pre>$ bash --version</pre>
<p>To test for the bug, run the check against bash itself, not <code>/bin/sh</code>, which on many Linux systems is a different shell (dash, for instance) and would never show the problem:</p>
<pre>$ env X='() { :;}; echo vulnerable' bash -c 'echo stuff'</pre>
<p>If the output is the word “vulnerable” followed on the next line by “stuff,” your bash is executing the contents of environment variables as code and contains the vulnerability. A fixed bash prints only “stuff.”</p>
<p>Even if your computer is vulnerable, it's still unlikely that you will be targeted through the Shellshock bug, because an attacker needs one of the network paths described above to get data into bash's environment on your machine.</p>
<h3>How Do Hackers Take Advantage Of The Bug?</h3>
<p>Let's take the simple test people are using to check for the vulnerability, a command you'd issue in this form:</p>
<pre>$ env X='() { :;}; echo vulnerable' bash -c 'echo stuff'</pre>
<p>This sets an environment variable named X to the text <code>() { :;}; echo vulnerable</code> and then starts a new bash, which is asked to run the command <code>echo stuff</code>. Bash has a little-known feature: when it starts, it scans its environment for variables whose value begins with <code>() {</code> and treats them as function definitions handed down from a parent shell. If bash were working correctly, it would define a do-nothing function named X (the <code>:</code> is a command that does nothing), ignore everything after the closing brace, and print only:</p>
<pre>stuff</pre>
<p>The bug is that a vulnerable bash did not stop at the closing brace. It kept parsing and <em>executed</em> whatever followed the function body, as if it were a command typed by the user, before doing anything else. So the trailing <code>echo vulnerable</code> runs first, and the output becomes:</p>
<pre>$ env X='() { :;}; echo vulnerable' bash -c 'echo stuff'
vulnerable
stuff</pre>
<p>An attacker who controls the contents of that environment variable can replace <code>echo vulnerable</code> with anything: a command that downloads and runs malware, erases your files, opens a back door or adds a new user with full access to the machine. 
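The program below is an added example, not code from this article or from any project it mentions; the function names in it (contains_function_marker, run_cgi_with_header, probe_cve_2014_6271) and the sample header strings are my own. It shows, in C, the path by which a remote attacker reaches bash: a CGI-capable Web server copies the request's User-Agent header into the environment variable HTTP_USER_AGENT and starts bash to run the script, which is exactly what run_cgi_with_header does. It then runs the vulnerability probe through that path, and includes the kind of pattern check a Web application firewall applies to incoming headers, with whitespace removed so that obfuscated variants of the <code>() {</code> marker still match. It assumes a Unix-like system with a bash binary on the PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Detection rule of the kind Web application firewalls applied once the bug
   was public: does a header value contain a function-definition marker?
   Whitespace is stripped first so that "() {", "(){" and "( )  {" all match,
   which is how mutated exploit attempts tried to slip past filters. */
int contains_function_marker(const char *value)
{
    char stripped[512];
    size_t n = 0;
    for (; *value && n + 1 < sizeof stripped; value++)
        if (!isspace((unsigned char)*value))
            stripped[n++] = *value;
    stripped[n] = '\0';
    return strstr(stripped, "(){") != NULL;
}

/* What a CGI-capable Web server does: copy a request header into the
   environment (User-Agent becomes HTTP_USER_AGENT) and start the script's
   interpreter. Here the "script" is the bash -c command in `script`. The
   child's stdout is captured into out (NUL-terminated). Returns the child's
   exit status, or -1 if the child could not be set up. */
int run_cgi_with_header(const char *header_value, const char *script,
                        char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);    /* hide bash's own warnings */
        close(fds[0]);
        close(fds[1]);
        setenv("HTTP_USER_AGENT", header_value, 1);
        execlp("bash", "bash", "-c", script, (char *)NULL);
        _exit(127);                           /* exec failed: no bash on PATH */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fds[0], out + n, outlen - n - 1)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* CVE-2014-6271 probe through the CGI path. A vulnerable bash runs the
   "echo vulnerable" that trails the function body while importing the
   variable, before it ever gets to the script. Returns 1 = vulnerable,
   0 = not vulnerable, -1 = bash not available. */
int probe_cve_2014_6271(void)
{
    char out[256];
    int status = run_cgi_with_header("() { :;}; echo vulnerable",
                                     "echo page", out, sizeof out);
    if (status < 0 || status == 127)
        return -1;
    return strstr(out, "vulnerable") != NULL;
}

int main(void)
{
    /* Constructed sample User-Agent values, not captured traffic. */
    const char *samples[] = {
        "Mozilla/5.0 (X11; Linux x86_64)",
        "() { :;}; /bin/ping -c 1 198.51.100.7",
        "( ) {:;}; echo owned",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i],
               contains_function_marker(samples[i]) ? "BLOCK" : "pass");

    switch (probe_cve_2014_6271()) {
    case 1:  puts("bash: VULNERABLE to CVE-2014-6271");     return 1;
    case 0:  puts("bash: not vulnerable to CVE-2014-6271"); return 0;
    default: puts("bash: not found, probe skipped");        return 2;
    }
}
```

Build with cc -o shellshock_cgi shellshock_cgi.c and run it: the filter flags two of the three sample headers, and the probe reports whether the local bash still executes commands that trail an imported function. The filter is a detection aid, not a fix: attackers varied the pattern, and a mutated payload can trip over other bugs entirely (the Yahoo incident covered earlier in this feed is one case), so the only real protection is the bash update.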
Because the environment variables of a network-facing service can be filled with data sent over the network, the attacker doesn't need to be anywhere near the machine to do it.</p>
<blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug"><strong>New Security Flaws Render Shellshock Patch Ineffective</strong></a></p></blockquote>
<p>This is only the first of <a href="http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug">at least six bugs</a> associated with Shellshock that security researchers have found. One of the later ones, known as <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186">CVE-2014-7186</a>, is a memory-corruption bug in bash's parser that can crash the shell, a denial-of-service condition, rather than one that lets an attacker run commands.</p>
<h3>How Do I Protect Myself?</h3>
<p>That's the tricky part. Vendors keep issuing patches, but researchers are simultaneously finding new related vulnerabilities. So "protection" is a moving target here, at least so far.</p>
<p>If you're using Linux, your distribution ships the fix as an updated bash package through its normal package manager (<code>yum update bash</code> on Red Hat and CentOS, <code>apt-get update &amp;&amp; apt-get install bash</code> on Debian and Ubuntu). No reboot is needed; every bash started after the update is the fixed one. Red Hat's first update turned out to be incomplete and was quickly followed by a second, and as researchers keep finding more vulnerabilities associated with Shellshock, vendors have to keep reinforcing the patch. Mac users can get instructions for patching their machines <a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch">here</a>.</p>
<blockquote><p>See also: <a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch"><strong>The Bash Bug Makes Every Mac Vulnerable; Here's How To Patch It</strong></a></p></blockquote>
<p>Apple has maintained that the “vast majority of users” are not susceptible to the bug, only those who have customized their advanced Unix settings. 
To play it safe, Apple has released a patch, though security researchers have discovered new vulnerabilities associated with Shellshock that this patch doesn't fix.</p><h3>What's The Real Danger?</h3><p>Researchers have just discovered the first Shellshock botnet. (A botnet is a network of hacker-controlled computers operating maliciously as a group.) This botnet is called “<a href="http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx">wopbot</a>” and seems to be targeting a content delivery network named Akamai as well as parts of the United States Department of Defense. </p><p>Wopbot spreads by exploiting Shellshock on exposed systems, then uses the machines it has captured to launch denial of service attacks. Akamai and the DoD have managed to take down wopbot's command and control center, but the server that runs the bot is still live and scanning for new targets.&nbsp;</p><h3>Is This As Bad As Heartbleed?</h3><p>The <a href="http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security">Heartbleed bug</a> was a flaw in OpenSSL, the library many websites use to encrypt the channel between your browser and the site. An attacker could exploit the bug to read chunks of a server's memory, which could contain the keys protecting the secure channels used by banks, e-commerce sites and other sensitive locations, along with passwords and other sensitive information.</p><blockquote><p><strong>See also:&nbsp;</strong><a href="http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security"><strong>What You Need To Know About Heartbleed, A Really Major Bug That Short-Circuits Web Security</strong></a></p></blockquote><p>Some security researchers say Shellshock will be "<a href="http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/">worse than Heartbleed</a>" since bash allows hackers to explicitly inject code on remote computers, while Heartbleed only let them read whatever happened to be sitting in a server's memory at the time.&nbsp;</p><p>Furthermore, it was possible to patch Heartbleed immediately once security experts disclosed its existence. (Though many sites weren't exactly fast off the mark.) Shellshock has been a different story so far.</p><p>We’ll update this explainer as more information is available.</p><p><em>Photo via Shutterstock</em></p>Welcome to Shellshock 101.http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainer
http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainerWebThu, 02 Oct 2014 07:00:00 -0700Lauren OrsiniNope! Apple's Patch Doesn't Fully Fix The Shellshock Bug Either<!-- tml-version="2" --><p>Get used to reading about the bash “Shellshock” bug, because we won’t be rid of it for a while. The fix Apple released to patch it is incomplete, security researchers said. </p><blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/30/apple-shellshock-patch-download"><strong>Apple Addresses Bash Bug With New Patch</strong></a></p></blockquote><p>Shellshock, a bug that allows hackers to control a system remotely by tacking commands onto the end of a function definition stored in an environment variable, is a lot bigger than we originally thought. Six vulnerabilities have now been associated with the bug; among the researchers turning them up is Google security researcher Michal "<a href="https://twitter.com/lcamtuf">lcamtuf</a>" Zalewski. </p><p>Previously, Apple thought two Shellshock vulnerabilities were associated with the bash versions running by default on OS X Mavericks, Mountain Lion, Lion, and Lion Server—<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169">CVE-2014-7169</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">CVE-2014-6271</a>.</p><p>However, security researcher Greg Wiseman <a href="http://www.cnet.com/news/apples-shellshock-patch-incomplete-say-experts/">told CNet</a> that he’s found a third. He ran a script on OS X Mountain Lion and found that it’s vulnerable to <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186">CVE-2014-7186</a>, a vulnerability that lets crafted input crash bash, a denial of service rather than a way to run commands. 
</p><p>Wiseman did not say he’d found the vulnerability on systems other than Mountain Lion, but if you want to be sure about your system, you can clone Hanno Böck’s <a href="https://github.com/hannob/bashcheck">bashcheck testing script</a> from GitHub, the same one <a href="https://community.rapid7.com/community/infosec/blog/2014/09/30/apple-releases-patch-for-shellshock-may-still-be-vulnerable">Wiseman used</a> for his trials. </p><blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug"><strong>New Security Flaws Render Shellshock Patch Ineffective</strong></a></p></blockquote><p>Apple has maintained that the “<a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch">vast majority of users</a>” are not susceptible to the bug, only those who have customized their advanced Unix settings. Unless that’s you, it might be preferable to sit tight. With a new patch coming out—and then being found lacking—so many days in a row, it’s clear there’s only so much we can fix on our own.</p><p><em>Photo by&nbsp;</em><a href="https://www.flickr.com/photos/nancyadair/9275739631/"><em>Adair733</em></a></p>We're in this for the long haul.http://readwrite.com/2014/10/01/apple-patch-for-shellshock-bug-doesnt-work
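<p>As an added example, not code from ReadWrite, from Apple or from Hanno Böck's bashcheck, here is a small POSIX shell script that does what the one-liner in the Shellshock 101 explainer and the bashcheck script above do, with two differences a practitioner would want: it probes three of the catalogued bugs rather than one (CVE-2014-6271, the incomplete-fix bug CVE-2014-7169, and the CVE-2014-7186 crash), and it shows how a Web request reaches bash in the first place, by reproducing the way a CGI-capable server copies a request header into an environment variable before running a script. The probes are the ones that circulated publicly in September 2014. Everything else is assumed for the example: the function names, the BASH_BIN variable (defaulting to whichever bash is on the PATH), the stand-in one-line "CGI script", and the constructed User-Agent value.</p>

```shell
#!/bin/sh
# Added example: Shellshock probes plus the CGI header vector.
# Assumptions: a "bash" binary is on the PATH (override with BASH_BIN),
# mktemp(1) exists, and the current directory is writable.

BASH_BIN="${BASH_BIN:-bash}"

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# CVE-2014-6271, the original bug. bash imports a function from any exported
# variable whose value starts with "() {" and, unpatched, keeps executing what
# follows the closing brace. The probe is run against bash itself, not /bin/sh:
# on Debian-family systems /bin/sh is dash, which never imported functions, so
# the text's one-liner would pass there while a #!/bin/bash CGI script is exposed.
check_6271() {
    have_bash || { echo missing; return; }
    out=$(env X='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo stuff' 2>/dev/null)
    case "$out" in *vulnerable*) echo vulnerable ;; *) echo fixed ;; esac
}

# CVE-2014-7169, the incomplete-fix bug. Leftover parser state lets the value
# complete the next command's redirection; on a vulnerable bash the command
# "echo date" turns into "date > echo", leaving a file named "echo" behind.
check_7169() {
    have_bash || { echo missing; return; }
    tmp=$(mktemp -d) || { echo error; return; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then r=vulnerable; else r=fixed; fi
    rm -rf "$tmp"
    echo "$r"
}

# CVE-2014-7186: an off-by-one in the redirection stack. Fourteen here-documents
# on one command crash an unpatched bash (a crash, not code execution), so a
# non-zero exit status is the signal.
check_7186() {
    have_bash || { echo missing; return; }
    if "$BASH_BIN" -c 'true <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A' >/dev/null 2>&1
    then echo fixed; else echo vulnerable; fi
}

# The remote vector. A CGI-capable Web server exports request headers as
# environment variables (User-Agent becomes HTTP_USER_AGENT) and then runs the
# script, so a single header hands bash a value it will parse on startup. The
# one-line printf stands in for a real CGI script written in bash.
run_cgi_with_header() {
    user_agent=$1
    have_bash || { echo missing; return; }
    HTTP_USER_AGENT="$user_agent" "$BASH_BIN" -c 'printf "Content-Type: text/plain\n\nhello\n"' 2>/dev/null
}

# Sends the constructed malicious header and reports whether the injected
# marker made it into the response.
check_cgi_vector() {
    resp=$(run_cgi_with_header '() { :;}; echo INJECTED')
    case "$resp" in missing) echo missing ;; *INJECTED*) echo vulnerable ;; *) echo fixed ;; esac
}

shellshock_report() {
    printf 'CVE-2014-6271 (env import)  : %s\n' "$(check_6271)"
    printf 'CVE-2014-7169 (parser state): %s\n' "$(check_7169)"
    printf 'CVE-2014-7186 (redir_stack) : %s\n' "$(check_7186)"
    printf 'CGI header vector           : %s\n' "$(check_cgi_vector)"
}

shellshock_report
```

<p>Each check prints "vulnerable", "fixed" or "missing" (no bash found), so the script can be dropped into a fleet-wide inventory job. The CGI function is the part worth studying: nothing in it is an exploit beyond the header value, which is the point. Any service that builds environment variables from data it received and then starts bash is a Shellshock target, whether or not it looks like a shell.</p>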
http://readwrite.com/2014/10/01/apple-patch-for-shellshock-bug-doesnt-workWebWed, 01 Oct 2014 06:19:36 -0700Lauren OrsiniApple Addresses Bash Bug With New Patch<!-- tml-version="2" --><p>No more command line input or complicated workarounds: Apple has released a <a href="http://support.apple.com/kb/DL1769?viewlocale=en_US&amp;locale=en_US">downloadable patch</a> for fixing the bash “Shellshock” bug. </p><p>The patch is available not only for OS X Mavericks v10.9.5, but also older versions of Apple software: OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. There is currently no fix for machines running test versions of Yosemite. </p><p>Last week, an Apple spokesperson <a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch">said</a> that “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities.” However, the company acknowledged it was working on the bash patch released Monday. </p><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug"><strong>New Security Flaws Render Shellshock Patch Ineffective</strong></a></p><p>Security researchers recently discovered that bash, a UNIX command shell and language included in OS X, includes a 22-year-old vulnerability that lets hackers smuggle commands in through the value of an environment variable, with the computer that runs them none the wiser. As researchers discover more and more related flaws, new reinforced patches have been released every day.</p><p><em>Photo by <a href="https://www.flickr.com/photos/steventom/87568944">Steven Tom</a></em></p>Fix your Mac with one download.http://readwrite.com/2014/09/30/apple-shellshock-patch-download
http://readwrite.com/2014/09/30/apple-shellshock-patch-downloadWebTue, 30 Sep 2014 07:05:12 -0700Lauren OrsiniNew Security Flaws Render Shellshock Patch Ineffective<!-- tml-version="2" --><p>Your system is still vulnerable to the Shellshock bug, even if you’ve patched it. Security researchers have found new flaws in bash, rendering previous patches ineffective.</p><blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/25/unix-bash-bug-shellshock-find-patch"><strong>How To Detect And Patch This Big, Bad Unix Bash Shellshock Bug</strong></a></p></blockquote><p>The bash shell is an omnipresent command-line interpreter used by default in Unix and Linux, and by extension, Apple’s OS X software. The shell itself is decades old, and it turns out the bug has been present for the last 22 years without detection.</p><p>Linux stewardship company Red Hat released a series of fixes to patch up the eight or so versions of bash that were vulnerable. On Friday, Red Hat released a <a href="http://www.theregister.co.uk/2014/09/28/bash_shellshock_bug_patches_released_by_red_hat/">second round of patches</a> to resolve newly discovered security flaws, and those discoveries keep coming.</p><blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch"><strong>The Bash Bug Makes Every Mac Vulnerable; Here's How To Patch It</strong></a></p></blockquote><p>Google security researcher Michal "<a href="https://twitter.com/lcamtuf">lcamtuf</a>" Zalewski has been tweeting as he uncovers increasingly serious vulnerabilities in the bash shell. 
He <a href="http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html">recommends</a> Red Hat security researcher Florian Weimer’s still-unofficial patch.</p><p>Shellshock exploits are spiking with the development of "<a href="http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx">wopbot</a>," the first botnet designed specifically to target the bash bug.&nbsp;</p><p>At the moment, the only people who need to worry about patching the Shellshock bug right away are system administrators and people who have tweaked the advanced Unix settings on machines running OS X or Linux.</p><p>“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," <a href="http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch">Apple said</a>.</p><p><em>Photo via Shutterstock</em></p>Security researchers scramble to fix the bash bug.http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug
http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bugWebMon, 29 Sep 2014 06:38:46 -0700Lauren OrsiniThe Bash Bug Makes Every Mac Vulnerable; Here's How To Patch It<!-- tml-version="2" --><p><em>(<strong>Update, Sept. 29:</strong>&nbsp;News of <a href="http://readwrite.com/2014/09/29/security-flaws-ineffective-bash-shellshock-bug">additional bash vulnerabilities</a> keeps pouring in, so the procedures listed here might not fully protect your system. We'll update when we know more.)</em></p><p>Apple is aware of the bash “Shellshock” bug that affects OS X users, and issued a statement to say that the “vast majority” of Mac users should remain unaffected.</p><blockquote><p><strong>See also: </strong><a href="http://readwrite.com/2014/09/25/unix-bash-bug-shellshock-find-patch"><strong>How To Detect And Patch This Big, Bad Unix Bash Shellshock Bug</strong></a></p></blockquote><p>Bash, which stands for <a href="http://en.wikipedia.org/wiki/Bash_(Unix_shell)">Bourne Again SHell</a>, is a command-line interpreter that runs on Unix, Linux, and Apple computers. OS X Mavericks 10.9.5 shipped with Bash version 3.2, one of the <a href="http://seclists.org/oss-sec/2014/q3/650">seven versions</a> of Bash vulnerable to the Shellshock bug. 
</p><p>To test if you are vulnerable, you can search for the Terminal program on your computer and input this line to be sure:</p><p><pre>env X="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"</pre></p><p>If your computer prints “vulnerable” and then “stuff” on the next line—well, you can guess what that means. (A patched bash prints only “stuff”.)</p><div tml-image="ci01bb82fe0001c80a" tml-image-caption=""><figure><img src="http://a5.files.readwrite.com/image/upload/c_fill,cs_srgb,w_620/MTI0ODM3NDQxMDQyNDIzODgw.png" /><figcaption></figcaption></figure></div><p>As evident in the screenshot, my version of bash is vulnerable to the bug—or at least it was, before I patched it (more on that in a minute).&nbsp;However, if you’re not the kind of person to mess around with advanced Unix options, Apple says the vast majority of Apple users shouldn’t worry about being vulnerable.</p><p>“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told <a href="http://www.imore.com/apple-working-quickly-protect-os-x-against-shellshock-exploit">iMore</a>. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”</p><h2>How To Patch Bash 3.2 On OS X</h2><p>But what if you are an advanced Unix user? Or just a little too paranoid to take Apple at its word? If you've got some familiarity with the command line and some time on your hands, you can patch bash on your own.</p><p>First, make sure you have Apple's Xcode developer tool installed. You can check by typing "xcodebuild" into Terminal anywhere. If it says something like "xcodebuild: error: The directory X does not contain an Xcode project," then you already have it. 
If it says "Command not found," you need to <a href="https://developer.apple.com/xcode/downloads/">download it</a>.&nbsp;</p><p>Second, you'll want to make sure you actually are using bash version 3.2. To find out, type this into Terminal anywhere:</p><p><pre>$ bash --version</pre></p><p>If you get version 3.2.51, the default that comes with OS X, you're all set to follow these instructions to manually upgrade to the patched version, 3.2.52. (That number means bash 3.2 with the GNU project's patch 052 applied. Patch 052 closes the original hole, CVE-2014-6271, but not the follow-on bug CVE-2014-7169, which the project addressed in patch 053, so expect to repeat this procedure as further patches appear.)</p><p>The following are instructions from <a href="http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/">Wonder How To</a> with additional information added for potential pitfalls. In order, you'll want to type these commands into your Terminal window.</p><p><pre>$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ cd ..
$ sudo xcodebuild</pre></p><div tml-image="ci01bb83908001efe2" tml-image-caption=""><figure><img src="http://a5.files.readwrite.com/image/upload/c_fill,cs_srgb,w_620/MTI0ODM4MDcwNTIzNTM4MDUx.png" /><figcaption></figcaption></figure></div><p><strong>Update</strong>: There are a few more steps than I previously thought; thanks to commenters for pointing that out:</p><p>Next, you need to back up the current version of bash, just in case something goes wrong:</p><p><pre>$ sudo cp /bin/bash /bin/bash.old<br tml-linebreak="true" />$ sudo cp /bin/sh /bin/sh.old</pre></p><p>Then, check that the binaries you just built report the patched version, 3.2.52. These paths are relative to the bash-92 directory you ran xcodebuild in, so type them there:</p><p><pre>$ build/Release/bash --version<br tml-linebreak="true" />$ build/Release/sh --version</pre></p><p>Lastly, copy the new binaries over the old ones:&nbsp;</p><p><pre>$ sudo cp build/Release/bash /bin<br tml-linebreak="true" />$ sudo cp build/Release/sh /bin</pre></p><p>After that, <strong>bash --version</strong> in a fresh Terminal window should report 3.2.52. If anything went wrong, the .old copies let you put the originals back.</p><h2>Troubleshooting</h2><p>If you downloaded Xcode specifically to patch bash and this is your first time using it, you will be prompted to input your password and then to agree with its terms of service by typing "agree" into Terminal. Instead of dealing with that during the fix, you may want to just type "sudo xcodebuild" anywhere in order to get it to prompt you for that stuff in advance.&nbsp;</p><div tml-image="ci01bb836c50019512" tml-image-caption=""><figure><img src="http://a5.files.readwrite.com/image/upload/c_fill,cs_srgb,w_620/MTI0ODM3OTE1MDk5NDA5MDI3.png" /><figcaption></figcaption></figure></div><p>If the commands that begin with "curl" are taking a very long time, as in more than twenty minutes (like in the screenshot above), this probably means they are about to time out. 
It's not abnormal; it's probably because a lot of people are working on implementing this patch.&nbsp;</p><div tml-image="ci01bb838280012a83" tml-image-caption=""><figure><img src="http://a4.files.readwrite.com/image/upload/c_fill,cs_srgb,w_620/MTI0ODM4MDEwOTMwODk0MDk4.png" /><figcaption></figcaption></figure></div><p>If that happens to you, go into Finder and find the "bash-fix" folder in your main directory. Delete the folder, empty the trash, and then go back into Terminal to restart the patch process again.&nbsp;</p><p>Ideally, Apple will come out with a patch you can just download soon because this is a lot of work. But I feel a lot better seeing a blank response in Terminal when I check for bash vulnerabilities.&nbsp;</p><p><em>Photo via Shutterstock</em></p>Apple says not to worry, but we have a fix anyway.http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patch
http://readwrite.com/2014/09/26/macs-apple-vulnerable-shellshock-bug-fix-patchWebFri, 26 Sep 2014 08:09:46 -0700Lauren Orsini